CMIA (California Confidentiality of Medical Information Act)

The CMIA predates HIPAA by over a decade and in several key areas provides more stringent protections. While HIPAA preempts state laws that are less protective, the CMIA survives because it exceeds HIPAA's requirements. Notably, the CMIA grants patients a private right of action, meaning individuals can sue healthcare providers directly for unauthorized disclosures, with statutory damages of $1,000 per violation plus actual damages, attorney fees, and costs. HIPAA provides no such private right of action; enforcement is limited to HHS and state attorneys general.

The CMIA also defines "medical information" more broadly than HIPAA's "protected health information." It covers any individually identifiable information in possession of a provider of healthcare regarding a patient's medical history, mental or physical condition, or treatment, without HIPAA's limitation to information transmitted or maintained in certain forms. The 15-business-day breach notification requirement (vs. HIPAA's 60 days) means California facilities must have incident response procedures that can execute rapidly.

Healthcare facilities operating in California must comply with both HIPAA and the CMIA simultaneously, applying whichever standard is more protective in each situation. BayArea Compliance's HIPAA|360 program is designed for California providers and addresses both frameworks. Our privacy policies, training materials, and breach response procedures account for CMIA's stricter timelines, broader definitions, and private right of action, protections that HIPAA-only programs routinely miss.